Into to OAuth-Verse

Published at 2025-01-16

Description

Ready to dive into the world of OAuth 2 and discover why it’s the reigning champion of API security? In this talk, we’ll unlock the mysteries behind API authorization, break down the problems OAuth solves, and examine why older methods are best left in the past.

We’ll journey through the OAuth grant types, revealing when to use each and when to steer clear. We’ll also uncover the unique hurdles that native apps, like mobile apps, face—and the clever tricks to overcome them. Finally, we’ll gaze into the future of OAuth, exploring modern specs and how to make the most of what’s already out there.

If you’re after a talk that will give you the confidence to tackle any OAuth implementation and the insight to build bulletproof security solutions, you’re in the right place. Join us, and let’s level up your OAuth game together!

Notes

Objectives

  • Understand API Authorization.
  • Identify Problems Solved by OAuth.
  • Explore Grant Types.
  • Discover Available Tools.

Grant Types

  • Authorization Code
  • Implicit Flow (For mobile applications)
  • Proof Key for Code Exchange (PKCE)
  • Client Credentials
  • Refresh Flow
  • Device Flow
  • Backend for Frontend (BFF)
  • Hybrid Flow

OAuth 2.0

  • Recognized as the gold standard for API Authorization.

API Security Solutions

Then:

  • On-Premise Systems.
  • Centralized Architectures.
  • XML-Based.
  • SOAP Protocols.
  • SAML or WS-Security.

Now:

  • Mobile-Friendly.
  • Decentralized Systems.
  • JSON-Based.
  • HTTP APIs.
  • OAuth and OpenID Connect.

Authentication vs Authorization

Authentication

  • Verifies Identity.
  • Involves credentials like username and password.

Authorization

  • Grants permission to external services to access your resources.
  • Implemented using OAuth.

Example: Adding Zoom to Calendar

  • Use OAuth to allow Zoom API access for creating meetings on the user’s behalf.
  • Permissions:
    • Can Create meetings.
    • Cannot Read existing meetings.
    • Cannot Delete meetings.

Credential Sharing in the Past

  • Problems:
    • Impersonation.
    • Difficulty in revocation.
    • Exposed credentials leading to security risks.

Comments

No comments yet. Be the first to comment!

Add a Comment

Wyat © 2025